too long

我们在旧的代码库上使用PHP 5.5(现在)和我们使用的一个集成 SoapClient </ code>告诉我们他们将禁用TLS的使用&lt; 1.2很快。</ p>

目前我们的连接非常简单:</ p>

  $ client = new SoapClient($ soap_url); 
</ code> </ pre>

我们需要做些什么来确保只发送TLS 1.2请求? 我找到了这个答案,但我不完全确定这是否仍适用于我们的情况; 另外,不确定我们是否应该强制 Soap 1.1 </ em>?</ p>

为了确保我们发送TLS 1.2请求,我们有什么要求?</ p>

</ div>

展开原文

原文

We have a site on an old codebase using PHP 5.5 (for now) and one of our integrations we interface with using SoapClient has told us they will be disabling usage of TLS < 1.2 shortly.

Currently our connections are as simple as:

$client = new SoapClient($soap_url);

What do we have to do to make sure only TLS 1.2 requests are sent? I found this answer, but I'm not entirely sure if this still applies to our situation; additionally, not sure we should be forcing Soap 1.1 either?

What are the requirements on our end to make sure we send TLS 1.2 requests?

douhuang2282
douhuang2282 CentOS的。
一年多之前 回复
duanchandun1860
duanchandun1860 toolong
一年多之前 回复

1个回答

When negotiating the connection with the server, your TLS library, let's assume openSSL, is going to tell the server what your maximum supported version is. The server will then choose a version that it, and the client both support. So, assuming your client system supports TLS1.2 there is probably no action required on your part.

TLS 1.2 support was added to OpenSSL in 1.0.1. If you are on el6 or newer and update your packages you should be fine. Check your version like so:

# openssl version
> OpenSSL 1.0.2k-fips  26 Jan 2017

You can check what protocols/ciphers a server supports with this nmap command:

 nmap --script ssl-enum-ciphers -p 443 stackoverflow.com

Now, if you want to test a failure when using TLS1.1, or force a cipher or something, you will need to use PHP's stream_context_create.

With the code below you can force use of TLS1.2 by setting the crypto_method to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT. Or, perhaps more useful towards what you are asking, you could test the failure when forcing use of STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT.

<?php
$options = ['trace' => 1,
            'soap_version' => SOAP_1_2,
            'exceptions' => true,
            'location' => 'https://stackoverflow.com/foo',
            'uri' => "https://stackoverflow.com/bar",
            'stream_context' => stream_context_create([
                'ssl'=> [
                    'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
                    'ciphers' => 'SHA256'                        
                 ]
             ])];

$client = new SoapClient(null, $options);

try {
    $response = $client->getFoo();    
} catch (\Exception $e){    
    var_dump($client->__getLastRequest());
    var_dump($client->__getLastResponse());
    throw $e;
}


//OR, an even easier test with out a Soap Client...
$opts = [
         'ssl'=> [
             'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
             'ciphers' => 'SHA256',
             'verify_peer' => false,
             'verify_peer_name' => false
         ]
     ];

$context = stream_context_create($opts);
$fp = fopen('https://stackoverflow.com', 'r', false, $context);

If things work with 1.2 and you can generate an error forcing say 1.1 then you can be pretty confident things are setup fine. Errors would be along the lines of:

Warning: fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:140830B5:SSL routines:ssl3_client_hello:no ciphers available

fopen(): Failed to enable crypto

When talking about SOAP version 1.1 vs 1.2 those are just different W3C standards for the Simple Object Access Protocol. More on some of the differences can be found here.

I will just say in closing I've not tested this in PHP 5.5, that is such an old version that these days I don't have an easy way to spin it up. Think this would all still be applicable however.

duanao2688
duanao2688 好的 - 非常感谢。 谢谢你清理它。 :)
一年多之前 回复
dongmou1964
dongmou1964 要明确的是,使用像cURL这样的服务器端http客户端,最终用户的Web浏览器不是一个因素。 他们的浏览器没有建立连接,你的网络服务器是。 不是故意混淆事项/
一年多之前 回复
douliu8327
douliu8327 我只是在进行比较。 连接到服务器并建立安全连接的Web浏览器,就像您的服务器通过cURL与另一台服务器建立安全连接一样。 只要您的服务器不等同于IE6,您就可以了。 你是对的,例如,如果一个Web服务器需要TLS 1.2,一些旧的移动设备Web浏览器最终可能无法通过HTTPS连接。
一年多之前 回复
dqcj32855
dqcj32855 所以它不仅取决于我们的服务器,它还依赖于所使用的客户端浏览器,我们无法做任何事情?
一年多之前 回复
doudou5023
doudou5023 too long
一年多之前 回复
doubi8965
doubi8965 too long
一年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐